You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@ambari.apache.org by Attila Magyar <am...@hortonworks.com> on 2017/05/24 09:32:14 UTC
Review Request 59520: Custom RM principal causes zookeeper HA state
store to be inaccessible
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59520/
-----------------------------------------------------------
Review request for Ambari, Balázs Bence Sári, Laszlo Puskas, Robert Levas, and Sebastian Toader.
Bugs: AMBARI-20877
https://issues.apache.org/jira/browse/AMBARI-20877
Repository: ambari
Description
-------
HDP 2.6 stack introduced settings for ACLs on the Yarn Resource Manager HA state store. In `yarn-site/yarn.resourcemanager.zk-acl` the ACL user is set to `rm`.
If this user name does not match the primary component of the Yarn RM Kerberos principal in `yarn-site/yarn.resourcemanager.principal`, then Yarn is unable to access the state store and RM will stop immediately after start.
During the Kerberos wizard there needs to be a check to see if these settings are out of sync. Or, the zk-acl setting needs to somehow reference the principal and extract the primary root through a variable.
Diffs
-----
ambari-agent/src/test/python/resource_management/TestSecurityCommons.py 870ca92
ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py 9ceeea7
ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/params_linux.py 3579fcb
ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/kerberos.json ae4db4f
ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/scripts/params_linux.py 66194ed
ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json ae4db4f
Diff: https://reviews.apache.org/r/59520/diff/1/
Testing
-------
- Create a cluster with yarn, hdfs
- enabled kerberos using custom principal names
- checked custom principal names in hadoop.registry.system.accounts and yarn.resourcemanager.zk-acl properties in yarn config
Tests: PENDING
Thanks,
Attila Magyar
Re: Review Request 59520: Custom RM principal causes zookeeper HA
state store to be inaccessible
Posted by Alejandro Fernandez <af...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59520/#review175949
-----------------------------------------------------------
Ship it!
Ship It!
- Alejandro Fernandez
On May 24, 2017, 9:32 a.m., Attila Magyar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59520/
> -----------------------------------------------------------
>
> (Updated May 24, 2017, 9:32 a.m.)
>
>
> Review request for Ambari, Balázs Bence Sári, Laszlo Puskas, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-20877
> https://issues.apache.org/jira/browse/AMBARI-20877
>
>
> Repository: ambari
>
>
> Description
> -------
>
> HDP 2.6 stack introduced settings for ACLs on the Yarn Resource Manager HA state store. In `yarn-site/yarn.resourcemanager.zk-acl` the ACL user is set to `rm`.
> If this user name does not match the primary component of the Yarn RM Kerberos principal in `yarn-site/yarn.resourcemanager.principal`, then Yarn is unable to access the state store and RM will stop immediately after start.
> During the Kerberos wizard there needs to be a check to see if these settings are out of sync. Or, the zk-acl setting needs to somehow reference the principal and extract the primary root through a variable.
>
>
> Diffs
> -----
>
> ambari-agent/src/test/python/resource_management/TestSecurityCommons.py 870ca92
> ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py 9ceeea7
> ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/params_linux.py 3579fcb
> ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/kerberos.json ae4db4f
> ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/scripts/params_linux.py 66194ed
> ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json ae4db4f
>
>
> Diff: https://reviews.apache.org/r/59520/diff/1/
>
>
> Testing
> -------
>
> - Create a cluster with yarn, hdfs
> - enabled kerberos using custom principal names
> - checked custom principal names in hadoop.registry.system.accounts and yarn.resourcemanager.zk-acl properties in yarn config
>
>
> Tests: PENDING
>
>
> Thanks,
>
> Attila Magyar
>
>
Re: Review Request 59520: Custom RM principal causes zookeeper HA
state store to be inaccessible
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59520/#review175943
-----------------------------------------------------------
Fix it, then Ship it!
Ship It!
ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py
Lines 288 (patched)
<https://reviews.apache.org/r/59520/#comment249285>
Can you add docs to this?
- Robert Levas
On May 24, 2017, 5:32 a.m., Attila Magyar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59520/
> -----------------------------------------------------------
>
> (Updated May 24, 2017, 5:32 a.m.)
>
>
> Review request for Ambari, Balázs Bence Sári, Laszlo Puskas, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-20877
> https://issues.apache.org/jira/browse/AMBARI-20877
>
>
> Repository: ambari
>
>
> Description
> -------
>
> HDP 2.6 stack introduced settings for ACLs on the Yarn Resource Manager HA state store. In `yarn-site/yarn.resourcemanager.zk-acl` the ACL user is set to `rm`.
> If this user name does not match the primary component of the Yarn RM Kerberos principal in `yarn-site/yarn.resourcemanager.principal`, then Yarn is unable to access the state store and RM will stop immediately after start.
> During the Kerberos wizard there needs to be a check to see if these settings are out of sync. Or, the zk-acl setting needs to somehow reference the principal and extract the primary root through a variable.
>
>
> Diffs
> -----
>
> ambari-agent/src/test/python/resource_management/TestSecurityCommons.py 870ca92
> ambari-common/src/main/python/resource_management/libraries/functions/security_commons.py 9ceeea7
> ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/params_linux.py 3579fcb
> ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/kerberos.json ae4db4f
> ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/package/scripts/params_linux.py 66194ed
> ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json ae4db4f
>
>
> Diff: https://reviews.apache.org/r/59520/diff/1/
>
>
> Testing
> -------
>
> - Create a cluster with yarn, hdfs
> - enabled kerberos using custom principal names
> - checked custom principal names in hadoop.registry.system.accounts and yarn.resourcemanager.zk-acl properties in yarn config
>
>
> Tests: PENDING
>
>
> Thanks,
>
> Attila Magyar
>
>
Re: Review Request 59520: Custom RM principal causes zookeeper HA
state store to be inaccessible
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59520/#review176270
-----------------------------------------------------------
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosDescriptor.java
Lines 428 (patched)
<https://reviews.apache.org/r/59520/#comment249641>
The map that is returned should have keys that indicate the _path_ to the Kerberos identitiy rather than just the simple name of the Kerberos identity. By using just the name, you run the risk of collisions since names do not need to be unique, but _paths_ do.
For example:
`resource_manager_rm` -> `/YARN/RESOURCEMANAGER/resource_manager_rm`
`smokeuser` --> `/smokeuser'
- Robert Levas
On May 29, 2017, 9:53 a.m., Attila Magyar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59520/
> -----------------------------------------------------------
>
> (Updated May 29, 2017, 9:53 a.m.)
>
>
> Review request for Ambari, Balázs Bence Sári, Laszlo Puskas, Nate Cole, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-20877
> https://issues.apache.org/jira/browse/AMBARI-20877
>
>
> Repository: ambari
>
>
> Description
> -------
>
> HDP 2.6 stack introduced settings for ACLs on the Yarn Resource Manager HA state store. In `yarn-site/yarn.resourcemanager.zk-acl` the ACL user is set to `rm`.
> If this user name does not match the primary component of the Yarn RM Kerberos principal in `yarn-site/yarn.resourcemanager.principal`, then Yarn is unable to access the state store and RM will stop immediately after start.
> During the Kerberos wizard there needs to be a check to see if these settings are out of sync. Or, the zk-acl setting needs to somehow reference the principal and extract the primary root through a variable.
>
>
> Diffs
> -----
>
> ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java 6a403c6
> ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosDescriptor.java a1b9e5c
> ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelper.java b9e2841
> ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/kerberos.json ae4db4f
> ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json ae4db4f
> ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java e654c72
> ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelperTest.java f00f694
>
>
> Diff: https://reviews.apache.org/r/59520/diff/3/
>
>
> Testing
> -------
>
> - Create a cluster with yarn, hdfs
> - enabled kerberos using custom principal names
> - checked custom principal names in hadoop.registry.system.accounts and yarn.resourcemanager.zk-acl properties in yarn config
>
>
> Tests: PENDING
>
>
> Thanks,
>
> Attila Magyar
>
>
Re: Review Request 59520: Custom RM principal causes zookeeper HA
state store to be inaccessible
Posted by Sebastian Toader <st...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59520/#review176300
-----------------------------------------------------------
Ship it!
Ship It!
- Sebastian Toader
On May 30, 2017, 3:15 p.m., Attila Magyar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59520/
> -----------------------------------------------------------
>
> (Updated May 30, 2017, 3:15 p.m.)
>
>
> Review request for Ambari, Balázs Bence Sári, Laszlo Puskas, Nate Cole, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-20877
> https://issues.apache.org/jira/browse/AMBARI-20877
>
>
> Repository: ambari
>
>
> Description
> -------
>
> HDP 2.6 stack introduced settings for ACLs on the Yarn Resource Manager HA state store. In `yarn-site/yarn.resourcemanager.zk-acl` the ACL user is set to `rm`.
> If this user name does not match the primary component of the Yarn RM Kerberos principal in `yarn-site/yarn.resourcemanager.principal`, then Yarn is unable to access the state store and RM will stop immediately after start.
> During the Kerberos wizard there needs to be a check to see if these settings are out of sync. Or, the zk-acl setting needs to somehow reference the principal and extract the primary root through a variable.
>
>
> Diffs
> -----
>
> ambari-server/docs/security/kerberos/kerberos_descriptor.md 54af50f
> ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java 6a403c6
> ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosDescriptor.java a1b9e5c
> ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelper.java b9e2841
> ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/kerberos.json ae4db4f
> ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json ae4db4f
> ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java e654c72
> ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosDescriptorTest.java a63da61
> ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelperTest.java f00f694
>
>
> Diff: https://reviews.apache.org/r/59520/diff/4/
>
>
> Testing
> -------
>
> - Create a cluster with yarn, hdfs
> - enabled kerberos using custom principal names
> - checked custom principal names in hadoop.registry.system.accounts and yarn.resourcemanager.zk-acl properties in yarn config
>
>
> Tests: PENDING
>
>
> Thanks,
>
> Attila Magyar
>
>
Re: Review Request 59520: Custom RM principal causes zookeeper HA
state store to be inaccessible
Posted by Alejandro Fernandez <af...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59520/#review176621
-----------------------------------------------------------
Ship it!
Ship It!
- Alejandro Fernandez
On May 30, 2017, 1:15 p.m., Attila Magyar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59520/
> -----------------------------------------------------------
>
> (Updated May 30, 2017, 1:15 p.m.)
>
>
> Review request for Ambari, Balázs Bence Sári, Laszlo Puskas, Nate Cole, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-20877
> https://issues.apache.org/jira/browse/AMBARI-20877
>
>
> Repository: ambari
>
>
> Description
> -------
>
> HDP 2.6 stack introduced settings for ACLs on the Yarn Resource Manager HA state store. In `yarn-site/yarn.resourcemanager.zk-acl` the ACL user is set to `rm`.
> If this user name does not match the primary component of the Yarn RM Kerberos principal in `yarn-site/yarn.resourcemanager.principal`, then Yarn is unable to access the state store and RM will stop immediately after start.
> During the Kerberos wizard there needs to be a check to see if these settings are out of sync. Or, the zk-acl setting needs to somehow reference the principal and extract the primary root through a variable.
>
>
> Diffs
> -----
>
> ambari-server/docs/security/kerberos/kerberos_descriptor.md 54af50f
> ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java 6a403c6
> ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosDescriptor.java a1b9e5c
> ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelper.java b9e2841
> ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/kerberos.json ae4db4f
> ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json ae4db4f
> ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java e654c72
> ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosDescriptorTest.java a63da61
> ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelperTest.java f00f694
>
>
> Diff: https://reviews.apache.org/r/59520/diff/4/
>
>
> Testing
> -------
>
> - Create a cluster with yarn, hdfs
> - enabled kerberos using custom principal names
> - checked custom principal names in hadoop.registry.system.accounts and yarn.resourcemanager.zk-acl properties in yarn config
>
>
> Tests: PENDING
>
>
> Thanks,
>
> Attila Magyar
>
>
Re: Review Request 59520: Custom RM principal causes zookeeper HA
state store to be inaccessible
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59520/#review176301
-----------------------------------------------------------
Ship it!
Ship It!
- Robert Levas
On May 30, 2017, 9:15 a.m., Attila Magyar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59520/
> -----------------------------------------------------------
>
> (Updated May 30, 2017, 9:15 a.m.)
>
>
> Review request for Ambari, Balázs Bence Sári, Laszlo Puskas, Nate Cole, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-20877
> https://issues.apache.org/jira/browse/AMBARI-20877
>
>
> Repository: ambari
>
>
> Description
> -------
>
> HDP 2.6 stack introduced settings for ACLs on the Yarn Resource Manager HA state store. In `yarn-site/yarn.resourcemanager.zk-acl` the ACL user is set to `rm`.
> If this user name does not match the primary component of the Yarn RM Kerberos principal in `yarn-site/yarn.resourcemanager.principal`, then Yarn is unable to access the state store and RM will stop immediately after start.
> During the Kerberos wizard there needs to be a check to see if these settings are out of sync. Or, the zk-acl setting needs to somehow reference the principal and extract the primary root through a variable.
>
>
> Diffs
> -----
>
> ambari-server/docs/security/kerberos/kerberos_descriptor.md 54af50f
> ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java 6a403c6
> ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosDescriptor.java a1b9e5c
> ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelper.java b9e2841
> ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/kerberos.json ae4db4f
> ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json ae4db4f
> ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java e654c72
> ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosDescriptorTest.java a63da61
> ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelperTest.java f00f694
>
>
> Diff: https://reviews.apache.org/r/59520/diff/4/
>
>
> Testing
> -------
>
> - Create a cluster with yarn, hdfs
> - enabled kerberos using custom principal names
> - checked custom principal names in hadoop.registry.system.accounts and yarn.resourcemanager.zk-acl properties in yarn config
>
>
> Tests: PENDING
>
>
> Thanks,
>
> Attila Magyar
>
>
Re: Review Request 59520: Custom RM principal causes zookeeper HA
state store to be inaccessible
Posted by Attila Magyar <am...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59520/
-----------------------------------------------------------
(Updated May 30, 2017, 1:15 p.m.)
Review request for Ambari, Balázs Bence Sári, Laszlo Puskas, Nate Cole, Robert Levas, and Sebastian Toader.
Bugs: AMBARI-20877
https://issues.apache.org/jira/browse/AMBARI-20877
Repository: ambari
Description
-------
HDP 2.6 stack introduced settings for ACLs on the Yarn Resource Manager HA state store. In `yarn-site/yarn.resourcemanager.zk-acl` the ACL user is set to `rm`.
If this user name does not match the primary component of the Yarn RM Kerberos principal in `yarn-site/yarn.resourcemanager.principal`, then Yarn is unable to access the state store and RM will stop immediately after start.
During the Kerberos wizard there needs to be a check to see if these settings are out of sync. Or, the zk-acl setting needs to somehow reference the principal and extract the primary root through a variable.
Diffs (updated)
-----
ambari-server/docs/security/kerberos/kerberos_descriptor.md 54af50f
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java 6a403c6
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosDescriptor.java a1b9e5c
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelper.java b9e2841
ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/kerberos.json ae4db4f
ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json ae4db4f
ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java e654c72
ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosDescriptorTest.java a63da61
ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelperTest.java f00f694
Diff: https://reviews.apache.org/r/59520/diff/4/
Changes: https://reviews.apache.org/r/59520/diff/3-4/
Testing
-------
- Create a cluster with yarn, hdfs
- enabled kerberos using custom principal names
- checked custom principal names in hadoop.registry.system.accounts and yarn.resourcemanager.zk-acl properties in yarn config
Tests: PENDING
Thanks,
Attila Magyar
Re: Review Request 59520: Custom RM principal causes zookeeper HA
state store to be inaccessible
Posted by Attila Magyar <am...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59520/
-----------------------------------------------------------
(Updated May 29, 2017, 1:53 p.m.)
Review request for Ambari, Balázs Bence Sári, Laszlo Puskas, Nate Cole, Robert Levas, and Sebastian Toader.
Changes
-------
added comment, fixed tests
Bugs: AMBARI-20877
https://issues.apache.org/jira/browse/AMBARI-20877
Repository: ambari
Description
-------
HDP 2.6 stack introduced settings for ACLs on the Yarn Resource Manager HA state store. In `yarn-site/yarn.resourcemanager.zk-acl` the ACL user is set to `rm`.
If this user name does not match the primary component of the Yarn RM Kerberos principal in `yarn-site/yarn.resourcemanager.principal`, then Yarn is unable to access the state store and RM will stop immediately after start.
During the Kerberos wizard there needs to be a check to see if these settings are out of sync. Or, the zk-acl setting needs to somehow reference the principal and extract the primary root through a variable.
Diffs (updated)
-----
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java 6a403c6
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosDescriptor.java a1b9e5c
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelper.java b9e2841
ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/kerberos.json ae4db4f
ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json ae4db4f
ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java e654c72
ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelperTest.java f00f694
Diff: https://reviews.apache.org/r/59520/diff/3/
Changes: https://reviews.apache.org/r/59520/diff/2-3/
Testing
-------
- Create a cluster with yarn, hdfs
- enabled kerberos using custom principal names
- checked custom principal names in hadoop.registry.system.accounts and yarn.resourcemanager.zk-acl properties in yarn config
Tests: PENDING
Thanks,
Attila Magyar
Re: Review Request 59520: Custom RM principal causes zookeeper HA
state store to be inaccessible
Posted by Sebastian Toader <st...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59520/#review176256
-----------------------------------------------------------
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
Lines 1233 (patched)
<https://reviews.apache.org/r/59520/#comment249630>
Add some comment that explains how this works with the constructs stored in ```kerberos.json``` files
- Sebastian Toader
On May 26, 2017, 6:44 p.m., Attila Magyar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59520/
> -----------------------------------------------------------
>
> (Updated May 26, 2017, 6:44 p.m.)
>
>
> Review request for Ambari, Balázs Bence Sári, Laszlo Puskas, Nate Cole, Robert Levas, and Sebastian Toader.
>
>
> Bugs: AMBARI-20877
> https://issues.apache.org/jira/browse/AMBARI-20877
>
>
> Repository: ambari
>
>
> Description
> -------
>
> HDP 2.6 stack introduced settings for ACLs on the Yarn Resource Manager HA state store. In `yarn-site/yarn.resourcemanager.zk-acl` the ACL user is set to `rm`.
> If this user name does not match the primary component of the Yarn RM Kerberos principal in `yarn-site/yarn.resourcemanager.principal`, then Yarn is unable to access the state store and RM will stop immediately after start.
> During the Kerberos wizard there needs to be a check to see if these settings are out of sync. Or, the zk-acl setting needs to somehow reference the principal and extract the primary root through a variable.
>
>
> Diffs
> -----
>
> ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java 5c4728a
> ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosDescriptor.java a1b9e5c
> ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelper.java b9e2841
> ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/kerberos.json ae4db4f
> ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json ae4db4f
> ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelperTest.java f00f694
>
>
> Diff: https://reviews.apache.org/r/59520/diff/2/
>
>
> Testing
> -------
>
> - Create a cluster with yarn, hdfs
> - enabled kerberos using custom principal names
> - checked custom principal names in hadoop.registry.system.accounts and yarn.resourcemanager.zk-acl properties in yarn config
>
>
> Tests: PENDING
>
>
> Thanks,
>
> Attila Magyar
>
>
Re: Review Request 59520: Custom RM principal causes zookeeper HA
state store to be inaccessible
Posted by Attila Magyar <am...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59520/
-----------------------------------------------------------
(Updated May 26, 2017, 4:44 p.m.)
Review request for Ambari, Balázs Bence Sári, Laszlo Puskas, Nate Cole, Robert Levas, and Sebastian Toader.
Changes
-------
The previous patch doesn't always work because webhcat regenerates yarn-site at every startup, overwriting the placeholders with an empty string.
I uploaded a new patch that replaces the placeholders at the server side.
The principal names are collected from the kerberos descriptor and they're put into the replacementMap under the "principals" key.
The kerberos.json can refer to a principal name using the following format ${principals/resource_manager_rm|principalPrimary()}
Bugs: AMBARI-20877
https://issues.apache.org/jira/browse/AMBARI-20877
Repository: ambari
Description
-------
HDP 2.6 stack introduced settings for ACLs on the Yarn Resource Manager HA state store. In `yarn-site/yarn.resourcemanager.zk-acl` the ACL user is set to `rm`.
If this user name does not match the primary component of the Yarn RM Kerberos principal in `yarn-site/yarn.resourcemanager.principal`, then Yarn is unable to access the state store and RM will stop immediately after start.
During the Kerberos wizard there needs to be a check to see if these settings are out of sync. Or, the zk-acl setting needs to somehow reference the principal and extract the primary root through a variable.
Diffs (updated)
-----
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java 5c4728a
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosDescriptor.java a1b9e5c
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelper.java b9e2841
ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/kerberos.json ae4db4f
ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json ae4db4f
ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelperTest.java f00f694
Diff: https://reviews.apache.org/r/59520/diff/2/
Changes: https://reviews.apache.org/r/59520/diff/1-2/
Testing
-------
- Create a cluster with yarn, hdfs
- enabled kerberos using custom principal names
- checked custom principal names in hadoop.registry.system.accounts and yarn.resourcemanager.zk-acl properties in yarn config
Tests: PENDING
Thanks,
Attila Magyar